slk 0.2.0 → 0.4.0

data/lib/slk/services/encryption.rb

@@ -6,21 +6,41 @@ module Slk
   module Services
     # Encrypts/decrypts tokens using age with SSH keys
     class Encryption
+      SUPPORTED_KEY_TYPES = %w[ssh-rsa ssh-ed25519].freeze
+
+      attr_accessor :on_prompt_pub_key
+
       def available?
-        system('which age > /dev/null 2>&1')
+        # Cross-platform check for age command
+        _output, _error, status = Open3.capture3('age', '--version')
+        status.success?
+      rescue Errno::ENOENT
+        false
       end
 
-      def encrypt(content, ssh_key_path, output_file) # rubocop:disable Naming/PredicateMethod
-        raise EncryptionError, 'age encryption tool not available' unless available?
+      # Validate that the SSH key is a type supported by age
+      # @param ssh_key_path [String] Path to the SSH private key (public key at .pub)
+      # @return [true] if valid
+      # @raise [EncryptionError] if private key not found, public key not found,
+      #   key type is unsupported, or public key doesn't match private key
+      def validate_key_type!(ssh_key_path)
+        raise EncryptionError, "Private key not found: #{ssh_key_path}" unless File.exist?(ssh_key_path)
 
-        public_key = "#{ssh_key_path}.pub"
-        raise EncryptionError, "Public key not found: #{public_key}" unless File.exist?(public_key)
-
-        _output, error, status = Open3.capture3('age', '-R', public_key, '-o', output_file, stdin_data: content)
+        public_key = find_public_key(ssh_key_path)
+        validate_public_key_type!(public_key)
+        validate_key_pair_match!(ssh_key_path, public_key)
+      end
 
-        raise EncryptionError, "Failed to encrypt: #{error.strip}" unless status.success?
+      # Encrypt content using age with an SSH public key
+      # @param content [String] The content to encrypt
+      # @param ssh_key_path [String] Path to the SSH private key (public key at .pub)
+      # @param output_file [String] Path where encrypted output will be written
+      # @raise [EncryptionError] If age tool not available or public key not found
+      def encrypt(content, ssh_key_path, output_file)
+        raise EncryptionError, 'age encryption tool not available' unless available?
 
-        true
+        public_key = find_public_key(ssh_key_path)
+        run_age_encrypt(content, public_key, output_file)
       end
 
       # Decrypt an age-encrypted file using an SSH key
@@ -29,14 +49,97 @@ module Slk
       # @return [String, nil] Decrypted content, or nil if file doesn't exist
       # @raise [EncryptionError] If age tool not available, key not found, or decryption fails
       def decrypt(encrypted_file, ssh_key_path)
-        # File not existing is not an error - it just means no encrypted data yet
         return nil unless File.exist?(encrypted_file)
 
         raise EncryptionError, 'age encryption tool not available' unless available?
         raise EncryptionError, "SSH key not found: #{ssh_key_path}" unless File.exist?(ssh_key_path)
 
-        output, error, status = Open3.capture3('age', '-d', '-i', ssh_key_path, encrypted_file)
+        run_age_decrypt(encrypted_file, ssh_key_path)
+      end
+
+      private
+
+      def find_public_key(ssh_key_path)
+        default_pub = "#{ssh_key_path}.pub"
+        return default_pub if File.exist?(default_pub)
+
+        prompted_path = prompt_and_validate_public_key(ssh_key_path)
+        return prompted_path if prompted_path
+
+        raise EncryptionError, "Public key not found: #{default_pub}"
+      end
+
+      def prompt_and_validate_public_key(ssh_key_path)
+        return nil unless @on_prompt_pub_key
+
+        prompted_path = @on_prompt_pub_key.call(ssh_key_path)
+        return nil unless prompted_path && File.exist?(prompted_path)
+
+        # Validate the prompted key before accepting it
+        validate_public_key_type!(prompted_path)
+        validate_key_pair_match!(ssh_key_path, prompted_path)
+        prompted_path
+      end
+
+      def validate_public_key_type!(public_key)
+        first_line = File.read(public_key).lines.first&.strip || ''
+        key_type = first_line.split.first
 
+        return true if SUPPORTED_KEY_TYPES.include?(key_type)
+
+        raise EncryptionError,
+              "Unsupported SSH key type: #{key_type || 'unknown'}. " \
+              "age only supports: #{SUPPORTED_KEY_TYPES.join(', ')}"
+      end
+
+      def validate_key_pair_match!(private_key_path, public_key_path)
+        derived_pub = derive_public_key(private_key_path)
+        return true unless derived_pub # Skip validation if ssh-keygen not available
+
+        provided_pub = File.read(public_key_path).lines.first&.strip || ''
+        return true if keys_match?(derived_pub, provided_pub)
+
+        raise EncryptionError,
+              'Public key does not match private key. ' \
+              'Please provide the correct public key for this private key.'
+      end
+
+      def derive_public_key(private_key_path)
+        output, error, status = Open3.capture3('ssh-keygen', '-y', '-f', private_key_path)
+        return output.strip if status.success?
+
+        # Check if ssh-keygen is missing vs other failures
+        return nil if ssh_keygen_not_found?(error)
+
+        # For other failures (passphrase-protected, corrupted), warn the user
+        raise EncryptionError,
+              "Cannot verify key pair: #{error.strip}. " \
+              'This may indicate a passphrase-protected or corrupted private key.'
+      end
+
+      # Heuristics for detecting missing ssh-keygen command.
+      # These strings vary by OS/shell but cover common cases.
+      def ssh_keygen_not_found?(error)
+        error.include?('command not found') ||
+          error.include?('not recognized') ||
+          error.include?('No such file or directory')
+      end
+
+      # SSH public key format: "type base64-data comment"
+      # Compare only type and key data, ignore the optional comment field
+      def keys_match?(derived, provided)
+        derived_parts = derived.split[0..1]
+        provided_parts = provided.split[0..1]
+        derived_parts == provided_parts
+      end
+
+      def run_age_encrypt(content, public_key, output_file)
+        _output, error, status = Open3.capture3('age', '-R', public_key, '-o', output_file, stdin_data: content)
+        raise EncryptionError, "Failed to encrypt: #{error.strip}" unless status.success?
+      end
+
+      def run_age_decrypt(encrypted_file, ssh_key_path)
+        output, error, status = Open3.capture3('age', '-d', '-i', ssh_key_path, encrypted_file)
         raise EncryptionError, "Failed to decrypt #{encrypted_file}: #{error.strip}" unless status.success?
 
         output

data/lib/slk/services/setup_wizard.rb

@@ -122,9 +122,9 @@ module Slk
         @output.success('Setup complete!')
         @output.puts
         @output.puts 'Try these commands:'
-        @output.puts '  slack status           - View your status'
-        @output.puts '  slack messages #general - Read channel messages'
-        @output.puts '  slack help             - See all commands'
+        @output.puts '  slk status           - View your status'
+        @output.puts '  slk messages general - Read channel messages'
+        @output.puts '  slk help             - See all commands'
       end
     end
   end

data/lib/slk/services/target_resolver.rb

@@ -91,17 +91,40 @@ module Slk
       end
 
       def find_user_id(workspace, username)
+        # Check cache first (reverse lookup by name)
+        cached_id = @cache.get_user_id_by_name(workspace.name, username)
+        return cached_id if cached_id
+
+        # Fall back to API call
+        fetch_user_id_from_api(workspace, username)
+      end
+
+      def fetch_user_id_from_api(workspace, username)
         api = @runner.users_api(workspace.name)
-        response = api.list
-        users = response['members'] || []
+        users = api.list['members'] || []
+        user = find_user_by_name(users, username)
+        cache_user(workspace.name, user) if user
+        user&.dig('id')
+      end
 
-        user = users.find do |u|
+      def find_user_by_name(users, username)
+        users.find do |u|
           u['name'] == username ||
             u.dig('profile', 'display_name') == username ||
             u.dig('profile', 'real_name') == username
         end
+      end
 
-        user&.dig('id')
+      def cache_user(workspace_name, user)
+        display_name = extract_display_name(user)
+        @cache.set_user(workspace_name, user['id'], display_name, persist: true)
+      end
+
+      def extract_display_name(user)
+        name = user.dig('profile', 'display_name').to_s.strip
+        name = user.dig('profile', 'real_name') if name.empty?
+        name = user['name'] if name.to_s.empty?
+        name
       end
     end
   end

data/lib/slk/services/token_loader.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module Slk
+  module Services
+    # Handles loading tokens from encrypted or plaintext files
+    class TokenLoader
+      def initialize(encryption:, paths:)
+        @encryption = encryption
+        @paths = paths
+      end
+
+      def load(ssh_key)
+        if encrypted_file_exists? && ssh_key
+          decrypt_with_key(ssh_key)
+        elsif encrypted_file_exists?
+          raise EncryptionError, 'Cannot read encrypted tokens without SSH key'
+        elsif plain_file_exists?
+          parse_plain_file
+        else
+          {}
+        end
+      end
+
+      def load_auto(config)
+        if encrypted_file_exists?
+          load_encrypted(config)
+        elsif plain_file_exists?
+          parse_plain_file
+        else
+          {}
+        end
+      end
+
+      def load_encrypted(config)
+        raise_missing_key_error unless config.ssh_key
+        decrypt_with_key(config.ssh_key)
+      end
+
+      def raise_missing_key_error
+        raise EncryptionError,
+              'Cannot read encrypted tokens - no SSH key configured. Run: slk config set ssh_key <path>'
+      end
+
+      def encrypted_file_exists?
+        File.exist?(encrypted_tokens_file)
+      end
+
+      def plain_file_exists?
+        File.exist?(plain_tokens_file)
+      end
+
+      def encrypted_tokens_file
+        @paths.config_file('tokens.age')
+      end
+
+      def plain_tokens_file
+        @paths.config_file('tokens.json')
+      end
+
+      private
+
+      def decrypt_with_key(ssh_key)
+        content = @encryption.decrypt(encrypted_tokens_file, ssh_key)
+        if content.nil?
+          raise TokenStoreError, "Encrypted tokens file disappeared unexpectedly: #{encrypted_tokens_file}"
+        end
+
+        JSON.parse(content)
+      rescue JSON::ParserError => e
+        raise TokenStoreError, "Encrypted tokens file is corrupted: #{e.message}"
+      end
+
+      def parse_plain_file
+        content = File.read(plain_tokens_file)
+        JSON.parse(content)
+      rescue Errno::ENOENT
+        raise TokenStoreError, "Tokens file disappeared unexpectedly: #{plain_tokens_file}"
+      rescue JSON::ParserError => e
+        raise TokenStoreError, "Tokens file #{plain_tokens_file} is corrupted: #{e.message}"
+      end
+    end
+  end
+end

data/lib/slk/services/token_saver.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+module Slk
+  module Services
+    # Handles saving tokens to encrypted or plaintext files.
+    # Uses atomic writes (temp file + mv) for the token file itself.
+    class TokenSaver
+      # File system errors we catch and wrap in TokenStoreError
+      FILE_ERRORS = [
+        Errno::ENOENT,
+        Errno::EACCES,
+        Errno::EPERM,
+        Errno::ENOSPC,
+        Errno::EDQUOT,
+        Errno::EROFS,
+        Errno::EIO
+      ].freeze
+
+      def initialize(encryption:, paths:)
+        @encryption = encryption
+        @paths = paths
+      end
+
+      def save(tokens, ssh_key)
+        @paths.ensure_config_dir
+
+        if ssh_key
+          save_encrypted(tokens, ssh_key)
+        else
+          save_plaintext(tokens)
+        end
+      end
+
+      def save_with_cleanup(tokens, ssh_key)
+        @paths.ensure_config_dir
+
+        if ssh_key
+          save_encrypted(tokens, ssh_key)
+          FileUtils.rm_f(plain_tokens_file)
+        else
+          save_plaintext(tokens)
+          FileUtils.rm_f(encrypted_tokens_file)
+        end
+      end
+
+      private
+
+      def save_encrypted(tokens, ssh_key)
+        temp_file = "#{encrypted_tokens_file}.tmp"
+        @encryption.encrypt(JSON.generate(tokens), ssh_key, temp_file)
+        FileUtils.mv(temp_file, encrypted_tokens_file)
+        FileUtils.rm_f(plain_tokens_file)
+      rescue EncryptionError => e
+        FileUtils.rm_f(temp_file)
+        raise TokenStoreError, "Failed to encrypt tokens: #{e.message}"
+      rescue *FILE_ERRORS => e
+        FileUtils.rm_f(temp_file)
+        raise TokenStoreError, "Failed to save encrypted tokens: #{e.message}"
+      end
+
+      def save_plaintext(tokens)
+        temp_file = "#{plain_tokens_file}.tmp"
+        File.write(temp_file, JSON.pretty_generate(tokens))
+        restrict_file_permissions(temp_file)
+        FileUtils.mv(temp_file, plain_tokens_file)
+      rescue *FILE_ERRORS => e
+        FileUtils.rm_f(temp_file)
+        raise TokenStoreError, "Failed to save tokens: #{e.message}"
+      end
+
+      # Restrict file to owner-only access.
+      # On Unix: chmod 600. On Windows: chmod is a no-op for security;
+      # files in %APPDATA% are already user-private by default.
+      def restrict_file_permissions(file)
+        File.chmod(0o600, file) unless Gem.win_platform?
+      end
+
+      def encrypted_tokens_file
+        @paths.config_file('tokens.age')
+      end
+
+      def plain_tokens_file
+        @paths.config_file('tokens.json')
+      end
+    end
+  end
+end

data/lib/slk/services/token_store.rb

@@ -1,118 +1,88 @@
 # frozen_string_literal: true
 
+require_relative 'token_loader'
+require_relative 'token_saver'
+
 module Slk
   module Services
     # Manages workspace tokens with optional encryption
     class TokenStore
-      attr_accessor :on_warning
+      attr_accessor :on_warning, :on_info, :on_prompt_pub_key
 
       def initialize(config: nil, encryption: nil, paths: nil)
         @config = config || Configuration.new
         @encryption = encryption || Encryption.new
         @paths = paths || Support::XdgPaths.new
+        @loader = TokenLoader.new(encryption: @encryption, paths: @paths)
+        @saver = TokenSaver.new(encryption: @encryption, paths: @paths)
         @on_warning = nil
+        @on_info = nil
+        @on_prompt_pub_key = nil
       end
 
       def workspace(name)
-        tokens = load_tokens
+        tokens = @loader.load_auto(@config)
         data = tokens[name]
         raise WorkspaceNotFoundError, "Workspace '#{name}' not found" unless data
 
-        Models::Workspace.new(
-          name: name,
-          token: data['token'],
-          cookie: data['cookie']
-        )
+        Models::Workspace.new(name: name, token: data['token'], cookie: data['cookie'])
       end
 
       def all_workspaces
-        load_tokens.map do |name, data|
-          Models::Workspace.new(
-            name: name,
-            token: data['token'],
-            cookie: data['cookie']
-          )
+        @loader.load_auto(@config).map do |name, data|
+          Models::Workspace.new(name: name, token: data['token'], cookie: data['cookie'])
         end
       end
 
       def workspace_names
-        load_tokens.keys
+        @loader.load_auto(@config).keys
       end
 
       def exists?(name)
-        load_tokens.key?(name)
+        @loader.load_auto(@config).key?(name)
       end
 
       def add(name, token, cookie = nil)
-        # Validate by constructing a Workspace (will raise ArgumentError if invalid)
         Models::Workspace.new(name: name, token: token, cookie: cookie)
-
-        tokens = load_tokens
+        tokens = @loader.load_auto(@config)
         tokens[name] = { 'token' => token, 'cookie' => cookie }.compact
-        save_tokens(tokens)
+        @saver.save(tokens, @config.ssh_key)
       end
 
       def remove(name) # rubocop:disable Naming/PredicateMethod
-        tokens = load_tokens
+        tokens = @loader.load_auto(@config)
         removed = tokens.delete(name)
-        save_tokens(tokens) if removed
+        @saver.save(tokens, @config.ssh_key) if removed
         !removed.nil?
       end
 
       def empty?
-        load_tokens.empty?
+        @loader.load_auto(@config).empty?
       end
 
-      private
+      def migrate_encryption(old_ssh_key, new_ssh_key)
+        return if old_ssh_key == new_ssh_key
 
-      def load_tokens
-        if encrypted_file_exists?
-          decrypt_tokens
-        elsif plain_file_exists?
-          JSON.parse(File.read(plain_tokens_file))
-        else
-          {}
-        end
-      rescue JSON::ParserError => e
-        raise TokenStoreError, "Tokens file #{plain_tokens_file} is corrupted: #{e.message}"
+        tokens = @loader.load(old_ssh_key)
+        return if tokens.empty?
+
+        @encryption.on_prompt_pub_key = @on_prompt_pub_key
+        @encryption.validate_key_type!(new_ssh_key) if new_ssh_key
+        @saver.save_with_cleanup(tokens, new_ssh_key)
+        notify_encryption_change(old_ssh_key, new_ssh_key)
       end
 
-      def save_tokens(tokens)
-        @paths.ensure_config_dir
+      private
 
-        if @config.ssh_key
-          # When encryption is configured, always use it - don't silently fall back
-          @encryption.encrypt(JSON.generate(tokens), @config.ssh_key, encrypted_tokens_file)
-          FileUtils.rm_f(plain_tokens_file)
+      def notify_encryption_change(old_ssh_key, new_ssh_key)
+        if new_ssh_key && old_ssh_key
+          @on_info&.call('Tokens have been re-encrypted with the new SSH key.')
+        elsif new_ssh_key
+          @on_info&.call('Tokens have been encrypted with the new SSH key.')
         else
-          # Plain text storage (no encryption configured)
-          File.write(plain_tokens_file, JSON.pretty_generate(tokens))
-          File.chmod(0o600, plain_tokens_file)
+          @on_warning&.call('Tokens are now stored in plaintext.')
         end
       end
-
-      def decrypt_tokens
-        content = @encryption.decrypt(encrypted_tokens_file, @config.ssh_key)
-        content ? JSON.parse(content) : {}
-      rescue JSON::ParserError => e
-        raise TokenStoreError, "Encrypted tokens file is corrupted: #{e.message}"
-      end
-
-      def encrypted_file_exists?
-        File.exist?(encrypted_tokens_file)
-      end
-
-      def plain_file_exists?
-        File.exist?(plain_tokens_file)
-      end
-
-      def encrypted_tokens_file
-        @paths.config_file('tokens.age')
-      end
-
-      def plain_tokens_file
-        @paths.config_file('tokens.json')
-      end
     end
   end
 end

data/lib/slk/services/user_lookup.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+module Slk
+  module Services
+    # Consolidated service for user name resolution
+    # Provides ID → name and name → ID lookups with caching
+    class UserLookup
+      def initialize(cache_store:, workspace:, api_client: nil, on_debug: nil)
+        @cache = cache_store
+        @api = api_client
+        @workspace = workspace
+        @on_debug = on_debug
+      end
+
+      # Resolve user ID to display name (most common use case)
+      # @param user_id [String] Slack user ID (e.g., "U123ABC")
+      # @return [String, nil] Display name or nil if not found
+      def resolve_name(user_id)
+        return nil if user_id.to_s.empty?
+
+        cached = @cache.get_user(@workspace.name, user_id)
+        return cached if cached
+
+        fetch_and_cache_name(user_id)
+      end
+
+      # Resolve user ID to display name, handling bots
+      # @param user_id [String] Slack user or bot ID
+      # @return [String, nil] Display name or nil if not found
+      def resolve_name_or_bot(user_id)
+        return nil if user_id.to_s.empty?
+
+        cached = @cache.get_user(@workspace.name, user_id)
+        return cached if cached
+
+        if user_id.start_with?('B')
+          fetch_and_cache_bot_name(user_id)
+        else
+          fetch_and_cache_name(user_id)
+        end
+      end
+
+      # Find user ID by display name (reverse lookup)
+      # @param name [String] Display name to search for
+      # @return [String, nil] User ID or nil if not found
+      def find_id_by_name(name)
+        return nil if name.to_s.empty?
+
+        cached = @cache.get_user_id_by_name(@workspace.name, name)
+        return cached if cached
+
+        fetch_id_by_name(name)
+      end
+
+      private
+
+      def fetch_and_cache_name(user_id)
+        return nil unless @api
+
+        user = fetch_user(user_id)
+        return nil unless user
+
+        @cache.set_user(@workspace.name, user_id, user.best_name, persist: true)
+        user.best_name
+      rescue ApiError => e
+        @on_debug&.call("User lookup failed for #{user_id}: #{e.message}")
+        nil
+      end
+
+      def fetch_and_cache_bot_name(bot_id)
+        return nil unless @api
+
+        bots_api = Api::Bots.new(@api, @workspace, on_debug: @on_debug)
+        name = bots_api.get_name(bot_id)
+        @cache.set_user(@workspace.name, bot_id, name, persist: true) if name
+        name
+      rescue ApiError => e
+        @on_debug&.call("Bot lookup failed for #{bot_id}: #{e.message}")
+        nil
+      end
+
+      def fetch_user(user_id)
+        users_api = Api::Users.new(@api, @workspace, on_debug: @on_debug)
+        response = users_api.info(user_id)
+        return nil unless response['ok'] && response['user']
+
+        Models::User.from_api(response['user'])
+      end
+
+      def fetch_id_by_name(name)
+        return nil unless @api
+
+        users_api = Api::Users.new(@api, @workspace, on_debug: @on_debug)
+        users = users_api.list['members'] || []
+        user = find_user_by_name(users, name)
+        cache_user_from_api(user) if user
+        user&.dig('id')
+      rescue ApiError => e
+        @on_debug&.call("User list lookup failed: #{e.message}")
+        nil
+      end
+
+      def find_user_by_name(users, name)
+        users.find do |u|
+          u['name'] == name ||
+            u.dig('profile', 'display_name') == name ||
+            u.dig('profile', 'real_name') == name
+        end
+      end
+
+      def cache_user_from_api(user_data)
+        user = Models::User.from_api(user_data)
+        @cache.set_user(@workspace.name, user.id, user.best_name, persist: true)
+      end
+    end
+  end
+end